The Forum on Cyber Resilience facilitates and enhances the exchange of ideas among scientists, practitioners, and policy makers concerned with urgent and important issues related to the resilience of the nation's computing and communications systems, including the Internet, other critical infrastructures, and commercial systems. Forum activities help to inform and engage a broad range of stakeholders around issues related to technology and policy in the context of cyber resilience, cybersecurity, privacy, and related emerging issues. A key role for the Forum is to surface and explore topics that can help advance the national conversation around these issues.

Software update has long been a mechanism through which security improvements in systems and devices are made. It is timely, then, to consider the value and prospects for software update as a security mechanism in the future. In what sorts of systems are software updates difficult? What makes it difficult? What incentives can be put in place to ensure that needed updates can be done?

This workshop will bring together software experts, security experts, practitioners, and researchers to explore how software update is accomplished and implications for security and resilience of systems that depend on software. Questions to explore include:

GENERAL: How has ‘software update’ changed over time and what are prospects for the future? How do different technical sectors manage software update? For what sorts of systems is software update likely to be an appropriate method of deploying improvements in resilience and security? What are the advantages and disadvantages of distinguishing and separating feature updates from security updates in software updates? What policy options are there to improve the practice and outcomes of software update (for example, what are the pros and cons of enforcing automatic updates?)

SECURITY RISKS: Do current practices related to software encourage vendors to ship buggy implementations on the assumption that bugs will be fixed later? If insecure-but-updatable products are the only ones available in the market, will they be used in high-value environments that will then fall to 0-day attacks?

END-OF-LIFE: How long should vendors be required to provide security updates? When the support period ends, should source code and signing tools be made open-source to allow third-party updates? Who is liable when products fail (perhaps in unsafe ways) after their support period ends? What are the economic and environmental impacts when products are discarded because essential updates are no longer available?

USER RIGHTS: What rights and obligations should users have? For example, are disclosure of limitations and/or acceptance by end users required (or even practical given the difficulty of understanding legalese, lack of alternatives, and number of devices that users own)? Should users be allowed to reject safety-critical updates (e.g. that may facilitate denial of service attacks against others on the network)? Should patches to address security or safety vulnerabilities be treated differently from updates that modify functionality?

PRIVACY, CONFLICTING INTERESTS: Should vendors be permitted to leverage security update mechanisms as a way to achieve other business objectives, such as obtaining data from users (e.g. to train vendor AI systems), obtaining users' consent to vendor-chosen contractual obligations, modifying device capabilities in ways that may be undesirable to the user, or pressing users to install software products unrelated to the one being updated? What challenges arise when multiple parties (e.g., telecommunications carriers and mobile operating system developers) are involved in software update and what options are there for dealing with them?

COSTS & ACCOUNTING: What are the long-term costs of maintaining software updates for products, and how should these costs be funded? When companies sell a product, do they need to take a charge for the future costs of producing updates for the product?

The workshop will take place February 6, 2017 at the National Academies Keck Center, 500 Fifth Street, NW, Washington DC. A draft agenda will be posted when it is available.